author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-09-16 18:38:26 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-16 18:38:26 +0200 |
commit | 0ddbda1f829a2d1b27d7e6519900201111702823 (patch) | |
tree | 58caea96101eeb330a9490b3565ab3d751af0035 /fuzz | |
parent | 47ea30fdaa4eb33d8150bbb0e7d57f9d92c41821 (diff) |
Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)
Based on the paper: "OpenVPN is Open to VPN Fingerprinting"
See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen
Basic idea:
* the distribution of the first byte of the messages (i.e. the distribution
of the op-codes) is quite unique
* this fingerprint might still be detectable even if the OpenVPN packets are
somehow fully encrypted/obfuscated
The heuristic is disabled by default.
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/fuzz_config.cpp | 8 | ||||
-rw-r--r-- | fuzz/fuzz_ndpi_reader.c | 2 |
2 files changed, 10 insertions, 0 deletions
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 4fdfea776..4a5715551 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -242,6 +242,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 if(fuzzed_data.ConsumeBool()) {
 value = fuzzed_data.ConsumeIntegralInRange(0, 0x01 + 1);
 snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+ ndpi_set_config(ndpi_info_mod, "openvpn", "dpi.heuristics", cfg_value);
+ value = fuzzed_data.ConsumeIntegralInRange(0, 255 + 1);
+ snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+ ndpi_set_config(ndpi_info_mod, "openvpn", "dpi.heuristics.num_messages", cfg_value);
+ }
+ if(fuzzed_data.ConsumeBool()) {
+ value = fuzzed_data.ConsumeIntegralInRange(0, 0x01 + 1);
+ snprintf(cfg_value, sizeof(cfg_value), "%d", value);
 ndpi_set_config(ndpi_info_mod, "openvpn", "subclassification_by_ip", cfg_value);
 }
 if(fuzzed_data.ConsumeBool()) {
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
index 5f27ed3bf..ae8cac68c 100644
--- a/fuzz/fuzz_ndpi_reader.c
+++ b/fuzz/fuzz_ndpi_reader.c
@@ -89,6 +89,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 ndpi_set_config(workflow->ndpi_struct, "stun", "max_packets_extra_dissection", "255");
 ndpi_set_config(workflow->ndpi_struct, "zoom", "max_packets_extra_dissection", "255");
 ndpi_set_config(workflow->ndpi_struct, "rtp", "search_for_stun", "1");
+ ndpi_set_config(workflow->ndpi_struct, "openvpn", "dpi.heuristics", "0x01");
+ ndpi_set_config(workflow->ndpi_struct, "openvpn", "dpi.heuristics.num_messages", "255");
 ndpi_finalize_initialization(workflow->ndpi_struct); |
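Review bot: In the fuzz_config.cpp hunk, `dpi.heuristics.num_messages` is only set inside the same `ConsumeBool()` branch that sets `dpi.heuristics`, so the fuzzer never produces a run where the message count is changed while the heuristic bitmask stays at its default. Giving it its own `if(fuzzed_data.ConsumeBool()) {` block, as the following `subclassification_by_ip` block has, would let the two keys vary independently. The `+ 1` on both upper bounds looks like it is meant to feed one out-of-range value to the config validator; a comment such as `/* max + 1: also exercise the rejection path */` would make that intent explicit, and would remind whoever adds a second heuristic bit to widen the `0x01 + 1` range. LLVMFuzzerTestOneInput starts and ends outside the hunk.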
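Review bot: In the fuzz_ndpi_reader.c hunk, both added `ndpi_set_config()` calls discard the return value, so if a key name or value is ever rejected the harness keeps running with the heuristic at its default, which the commit message says is disabled, and the new OpenVPN detection code silently loses its fuzz coverage. A check in the harness such as `if(ndpi_set_config(workflow->ndpi_struct, "openvpn", "dpi.heuristics", "0x01") != NDPI_CFG_OK) abort();` would turn that into an immediate failure. The neighbouring context lines ignore the result in the same way, so this may be a harness-wide convention worth revisiting rather than something specific to this commit. LLVMFuzzerTestOneInput starts and ends outside the hunk.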